Ahead of the upcoming shopping season, we’re spreading awareness of potential Black Friday and Cyber Monday security concerns affecting people who shop and sell online.
In anticipation of the upcoming holiday shopping season, we want to help spread awareness of potential Black Friday and Cyber Monday security concerns affecting people who either buy or sell products or services through digital means. There are many scams that fraudsters attempt when targeting victims online. Falling for a scam can be as simple as clicking on an email link or visiting an insecure website where attacks take place in the background, without your knowledge or consent. Here we’ll cover common attacks and, more importantly, some practical advice to identify phishing and other attacks to reduce your chances of falling victim to online scams and fraud.
Security is all about trade-offs. Security can easily be achieved by disconnecting—but you can’t do anything without connecting. It’s just a fact that shopping online entails risks and so must be approached with awareness.
Image credit: The Verge on Twitter
Let’s use Amazon Key as an example. It’s great for customers who have had packages stolen from their doorsteps, and it ultimately reduces fraud and financial loss. But in the meantime, attackers—in this case, burglars—want to unlock houses that use Amazon Key. Through this service, an attacker could potentially unlock your front door. It would require a breach of some sort: attacking the organization, obtaining a valid key to unlock the door, or finding a software vulnerability in the smart lock software. But while Amazon might have escaped major breaches recently, it has had breaches in the past.
Now the question is a trade-off between having a package stolen and having your house broken into. Amazon Key is a question of risk management. If things are constantly stolen from your porch, trading the risk of stolen packages for the much smaller risk of a break-in is actually a good deal: package theft is a common occurrence, but how many people have their houses broken into? We should acknowledge that the risks exist, but for many people Amazon Key is a sensible way to reduce the loss of things they’ve paid for and keep their packages safe. The door cannot be opened without consent, and there’s video. We also know:
So for those who choose to use Amazon Key, the risk is acceptable—and if you know the risks and don’t accept the trade-off, you just don’t use Amazon Key. But what about people who buy or sell online, where you don’t know who the “drivers” or “burglars” are, you can’t record them on video, and there are plenty of ways for attackers to access your information without your consent?
Scammers first need a way to reach you, or someone like you, who might fall for the scam. They cast a wide net through legitimate marketplaces such as Craigslist, Amazon, and eBay. They also create fake advertisements and even entire fake e-commerce websites that victims reach through search engines, email, or text messages.
To obtain sensitive information, scammers deploy a range of tactics to make victims hand over their information:
Once they’ve gained the trust of their victim, the scammers simply cash out, walking away with personal information such as the victim’s name, address, and date of birth. If the victim signed up on the fake website, the scammers have also captured the victim’s username and password, which the victim may have used elsewhere, such as on PayPal. Finally, scammers want to get as much cash from victims as possible and thus often capture credit card details or take money for items that do not exist.
With the immense volume of personal information being passed to websites, stored in databases, and even shared with third parties, it’s no wonder people now call data the new oil. How we handle our data and hand it to companies, and how well those companies secure it, are the common factors in today’s identity theft cases. In 2017 the BBC published an article stating that 88% of recorded incidents occurred online.
Image credit: BBC News
As you can see, identity theft is increasing yearly. This might be from security breaches, where someone has found a way to gain a foothold within an organization, or from users entering or handling their personal information insecurely.
When scammers obtain your information—for example, through a data breach—they might attempt to do the following:
A data breach is out of a user’s control. But scammers don’t only want to profit by impersonating you; they also want control of your devices, which widens what they can reach and lets them keep profiting from you. Today’s criminals will try to persuade you to install malicious software on your devices, for example a keylogger that records every key you press and sends it to them. With a keylogger in place, they can capture your credentials for every website you visit and read the sensitive content of every email you write.
Scammers have a wide range of tools to get your information:
Phishing is a common technique used by scammers, fraudsters, and other types of attackers. A phishing message deceives the user into clicking a link. On the other end of the link is a page that either extracts information from the user, such as credentials or card details, or delivers malicious software.
Phishing doesn’t affect just the gullible; it can affect anyone. In fact, everybody knows somebody who has fallen victim to one of these scams:
An insecure website is, for example, one loaded over HTTP rather than HTTPS: everything you send to it and receive from it travels in clear text. Another example is a site that sends sensitive information over channels where it can be intercepted.
I like to think about HTTP this way: You are in a public place and overhear Bob talking to Alice about how silly passwords are. Bob says he uses the name of his favorite baseball team, the San Francisco Giants, and the year they won their last World Series. Alice says she has a very strong password that nobody can guess; it’s a combination of the names of her dog Buster, her son Jerry, and her daughter Janyce.
That’s not very secure. Someone just overheard both of their passwords. This is just like HTTP: when you visit a website over HTTP, it’s as if you were talking in a public place with someone listening. Anything you send over HTTP can be captured by scammers, and anything the site sends back can be read or altered along the way. The good news is that unlike in the outside world, a web browser will tell you, “Hey, this is actually an insecure website. Maybe don’t enter sensitive information here.” In real life, nobody is going to wave at you and tell you the same.
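To make the analogy concrete, here is an added example (not code from the original post) of what a passive eavesdropper on the network path sees for the same login submitted over plain HTTP and over HTTPS. Both captures are constructed for this example; the host name, form field names and credentials are made up (the password reuses the names from the Alice and Bob story above).

```python
"""Added example (not from the original post): what a passive eavesdropper on
the network path sees when a login form is submitted over plain HTTP versus
over HTTPS.  Both captures are constructed; host, field names and credentials
are made up."""
from urllib.parse import parse_qs

# Constructed capture: a login form POSTed over HTTP.  Everything, including
# the password, is literally on the wire as readable text.
HTTP_CAPTURE = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: shop.example.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 41\r\n"
    b"\r\n"
    b"username=alice&password=BusterJerryJanyce"
)

# Constructed capture: the same login over HTTPS.  An eavesdropper sees only
# TLS records (first byte = record type 0x16 handshake / 0x17 application
# data, then a 0x03 0x0x version).  The payload bytes are made up and stand
# in for ciphertext.
TLS_CAPTURE = (
    b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"              # truncated ClientHello
    b"\x17\x03\x03\x00\x08\x9f\x1c\x42\xd0\x7e\xa3\x11\x5b"  # application data
)

HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ")


def classify(capture: bytes) -> str:
    """Guess what an observer is looking at: cleartext HTTP, TLS, or unknown."""
    if capture.startswith(HTTP_METHODS):
        return "http"
    if len(capture) >= 3 and capture[0] in (0x16, 0x17) and capture[1] == 0x03:
        return "tls"
    return "unknown"


def parse_http_request(capture: bytes):
    """Split a raw HTTP/1.1 request into (request line, headers, body)."""
    head, sep, body = capture.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.split(b"\r\n")
    request_line = lines[0].decode("ascii", "replace")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().decode().lower()] = value.strip().decode()
    length = int(headers.get("content-length", len(body)))
    return request_line, headers, body[:length]


def extract_credentials(capture: bytes):
    """Return the submitted form fields if the capture is a cleartext HTTP
    form post, else None.  This is exactly the work an attacker on an open
    Wi-Fi network or a compromised router would do."""
    if classify(capture) != "http":
        return None
    parsed = parse_http_request(capture)
    if parsed is None:
        return None
    _, headers, body = parsed
    if not headers.get("content-type", "").startswith(
            "application/x-www-form-urlencoded"):
        return None
    fields = parse_qs(body.decode("utf-8", "replace"))
    return {name: values[0] for name, values in fields.items()}


if __name__ == "__main__":
    for label, capture in (("HTTP", HTTP_CAPTURE), ("HTTPS", TLS_CAPTURE)):
        print(label, classify(capture), extract_credentials(capture))
```

Run it and the HTTP capture yields the username and password directly, while the TLS capture yields nothing: the eavesdropper can tell that a TLS session exists, but not what was typed into the form.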
Unsecured Wi-Fi hotspots pose a major security risk. Anyone could be listening in to insecure traffic. Additionally, attackers may be running the Wi-Fi networks. They could be siphoning usernames, passwords, or other confidential information.
Have you or your friends ever used a public computer for online shopping? Could you ensure that the computer had not been compromised? Keylogging is an attack in which someone with malicious intent captures keystrokes entered on a system in an attempt to grab:
It’s very easy to visit the wrong domain. For example, “Synopsys.com” could be typed as “Synopsis.com” or “Syn0psys.com.” And sometimes visiting the wrong domain opens you up to a cybersquatting or typosquatting attack. Wikipedia defines “cybersquatting” as “registering, trafficking in, or using an Internet domain name with bad faith intent to profit from the goodwill of a trademark belonging to someone else.”
Scammers lure users to their sites with common victim accidents (e.g., mistyping the URL) or phishing email scams, with these goals:
A perfect example of how easy it is to be directed to the wrong URL is last year’s incident in which the verified Equifax Twitter account told users to visit http://securityequifax2017.com/ rather than https://www.equifaxsecurity2017.com. It shows that the padlock icon next to the URL is no guarantee that a website is legitimate: the padlock only means your connection to that domain is encrypted, and anyone can register a domain and obtain a certificate for it.
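The lookalike domains above (Synopsis.com, Syn0psys.com, securityequifax2017.com) can be caught mechanically. The following added example, which is not code from the original post, flags a URL whose host is a typo, a homoglyph swap, or a brand name buried in a longer domain, while deliberately ignoring the scheme. The allow-list of legitimate domains, the homoglyph table and the edit-distance threshold are assumptions for the example, and the registrable-domain logic is a simplification that ignores the public suffix list.

```python
"""Added example (not from the original post): flagging lookalike domains of
the kind described above.  LEGIT_DOMAINS, HOMOGLYPHS and MAX_DISTANCE are
assumptions; registrable() is a simplification (no public suffix list)."""
from urllib.parse import urlsplit

# Assumed allow-list of domains the user actually intends to visit.
LEGIT_DOMAINS = ["synopsys.com", "equifax.com", "equifaxsecurity2017.com"]

# Characters that look like letters at a glance (the "0" in Syn0psys.com).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "8": "b"})
MAX_DISTANCE = 2  # assumed; too generous for very short domains


def normalize(host: str) -> str:
    """Collapse visually confusable characters so syn0psys -> synopsys."""
    return host.translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def levenshtein(a: str, b: str) -> int:
    """Edit distance: catches one-letter typos such as synopsis/synopsys."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Last two labels (simplification; a real check uses the public suffix list)."""
    return ".".join(host.split(".")[-2:])


def check_url(url: str, legit=LEGIT_DOMAINS):
    """Return ("legitimate" | "lookalike" | "unrelated", matched legit domain).

    The URL scheme is deliberately ignored: https:// and a padlock say nothing
    about who owns the domain."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    for domain in legit:
        if host == domain or host.endswith("." + domain):
            return "legitimate", domain
    norm_host = normalize(host)
    norm_reg = normalize(registrable(host))
    for domain in legit:
        brand = domain.split(".")[0]
        # Brand name buried anywhere in the host (securityequifax2017.com,
        # synopsys.com.evil.net) or a near-miss on the registrable domain.
        if brand in norm_host or levenshtein(norm_reg, normalize(domain)) <= MAX_DISTANCE:
            return "lookalike", domain
    return "unrelated", None


if __name__ == "__main__":
    for u in ("https://www.synopsys.com/", "http://synopsis.com/", "https://syn0psys.com/",
              "http://securityequifax2017.com/", "https://synopsys.com.evil.net/login",
              "https://example.org/"):
        print(u, "->", check_url(u))
```

Note that `https://syn0psys.com/` and `https://synopsys.com.evil.net/login` are both flagged even though each would show a padlock if the attacker bothered to get a certificate, which is the point of the Equifax story.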
If it’s too good to be true, it usually is!
Always enable multifactor authentication. Types of verification include these, from strongest to weakest:
Note that SMS verification should be phased out; although it is stronger than passwords, it is only as good as SS7 (terrible) and telco porting procedures (also terrible).
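For contrast with SMS codes, here is an added example (not code from the original post) of the time-based one-time password that authenticator apps generate (TOTP, RFC 6238, built on HOTP, RFC 4226), including a constant-time comparison and a replay guard. It assumes an authenticator-app code is among the factors you enable; the secret is the RFC test vector, and the 30-second step and one-step drift window are the usual defaults, assumed here. Nothing in this exchange passes through a phone network, which is why it does not inherit the SS7 and number-porting problems.

```python
"""Added example (not from the original post): TOTP (RFC 6238) as generated by
authenticator apps, with constant-time verification and a replay guard.  The
secret is the RFC 4226/6238 test vector; STEP, DIGITS and WINDOW are assumed
defaults."""
import base64
import hashlib
import hmac
import struct
import time

STEP = 30      # seconds per code (assumed default)
DIGITS = 6
WINDOW = 1     # accept one step of clock drift either way (assumed)


def secret_from_base32(seed: str) -> bytes:
    """Authenticator apps are provisioned with a base32 seed (usually via a QR code)."""
    seed = seed.replace(" ", "").upper()
    return base64.b32decode(seed + "=" * (-len(seed) % 8))


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, timestamp: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP with the counter derived from the clock."""
    return hotp(secret, int(timestamp) // step, digits)


def verify_totp(secret, submitted, timestamp, last_counter=-1, step=STEP, window=WINDOW):
    """Return the matching counter if `submitted` is a valid, unused code, else None.

    Codes are compared with hmac.compare_digest to avoid timing leaks, and any
    counter at or below `last_counter` is rejected so a code captured by a
    phisher or keylogger cannot be replayed within its validity window."""
    current = int(timestamp) // step
    for counter in range(current - window, current + window + 1):
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter), str(submitted)):
            return counter
    return None


if __name__ == "__main__":
    secret = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    now = int(time.time())
    code = totp(secret, now)
    print("code:", code, "accepted at counter:", verify_totp(secret, code, now))
```

The server stores the counter returned by `verify_totp` as `last_counter` for that user, so the same six digits are only ever accepted once; a real deployment also rate-limits attempts, since six digits give an attacker a one-in-a-million guess per try.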
Remembering different passwords for all your websites and accounts is hard. But security people love to tell you to do it. So consider using a password manager, an application that securely manages passwords for all your accounts.
Backups protect you against data loss, device malfunction, and ransomware.
Lewis Ardern is a senior security consultant at Synopsys. His primary areas of expertise are in web security and security engineering. Lewis enjoys creating and delivering security training to various types of organizations and institutes in topics such as web and JavaScript security. He is also the founder of the Leeds Ethical Hacking Society and has helped develop projects such as SecGen (https://github.com/cliffe/secgen), which generates vulnerable virtual machines on the fly for security training purposes. Lewis is currently working toward his PhD in web security.